KuuloAI notes for financial advisors in the EU: MiFID II suitability documentation on-device
MiFID II requires documented suitability assessments for every investment recommendation. EU financial advisors using cloud AI for client meeting notes face GDPR Article 28 DPA requirements and Article 46 transfer obligations. On-device processing produces compliant suitability documentation without the cloud compliance overhead.
- MiFID II Article 25(6) requires documented suitability assessments before investment recommendations. AI-generated meeting notes support this when reviewed and retained — reducing post-meeting documentation from 30–45 minutes to under 5.
- EU financial advisor client data is personal data under GDPR. Cloud AI tools processing meeting audio require Article 28 DPAs and Article 46 transfer mechanisms for US-hosted vendors.
- BaFin (Germany), AMF (France), AFM (Netherlands), and FI (Sweden) all supervise documentation quality. The five-year MiFID II retention requirement means notes generated today must be producible in 2031.
- EU wealth management is predominantly in-person. Bot-based notetakers cannot attend a client's home, the advisor's private office, or a family office meeting. On-device iPhone recording covers all settings.
MiFID II introduced the most comprehensive recording and documentation requirements in the history of European financial regulation. Investment firms must record all relevant telephone conversations and electronic communications that relate to client orders or could lead to a transaction. Written records of face-to-face meetings must be retained for five years. Suitability assessments must be documented and provided to the client in a suitability statement before the transaction is executed.
For financial advisors across the EU — wealth managers in Frankfurt, independent financial advisors in Paris, portfolio managers in Amsterdam and Stockholm — MiFID II created a documentation regime that is detailed, auditable, and mandatory. The administrative burden falls most heavily on independent advisors and smaller firms who cannot spread compliance costs across a large operations infrastructure.
AI documentation changes the time equation. But the regulatory and data protection architecture for AI in EU financial services is specific — and the wrong tool creates regulatory exposure that outweighs any efficiency gain.
MiFID II documentation: what is actually required
Under MiFID II Article 25(6) and the associated Delegated Regulation (EU) 2017/565, the suitability assessment documentation must cover: the client's knowledge and experience in the investment field, their financial situation including ability to bear losses, and their investment objectives including risk tolerance. The suitability statement must confirm that the recommendation is suitable and explain why.
For face-to-face meetings, the content of the interaction may be recorded through written minutes or notes. These minutes must be comprehensive enough to demonstrate, in any subsequent examination by the national competent authority (BaFin, AMF, AFM, FI, etc.), that the advisor fulfilled their suitability obligation.
"Discussed client's portfolio" is not sufficient. A defensible suitability record documents: the specific products discussed, the suitability criteria against which each was assessed, the client's stated preferences and objectives, and the basis for the recommendation made. These are records that an advisor would previously spend 30–45 minutes constructing after a client meeting. AI documentation reduces this to a review of a generated draft.
The GDPR dimension for financial advice
Client data in financial services is personal data under GDPR. For HNW clients, it often includes data about their financial situation, health conditions relevant to estate planning, family circumstances, and business interests. While most financial advisory client data is not Article 9 special category data, the combination of financial data with health or family information in estate planning or succession contexts may cross into special category territory.
Any cloud-based AI tool that processes client meeting audio becomes a data processor under GDPR Article 28, requiring a Data Processing Agreement. For EU-based advisors using US-hosted AI tools, the additional Article 46 transfer mechanism requirements apply — Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules.
The practical challenge: EU national competent authorities for financial services (BaFin, AMF) and data protection authorities (BfDI, CNIL) can both examine how client data is handled. An advisor using a US-hosted cloud AI tool without a valid Article 46 transfer mechanism is simultaneously exposed to both supervisory frameworks.
On-device processing removes the Article 28 obligation entirely. No audio reaches an external processor. The GDPR obligations remain those the advisor holds for any client record — but without a processor layer that requires a separate legal instrument and transfer mechanism.
Germany: BaFin, documentation culture, and Datenschutz
German financial advisors operate under BaFin supervision with documentation expectations that reflect Germany's compliance culture: thorough, formal, and paper-heavy. The Beratungsprotokoll (consultation protocol) for securities advice must document the basis of the advice, the client's information, and the reasons for the recommendation.
Germany's Datenschutz-Grundverordnung implementation (DSGVO) and the Bundesdatenschutzgesetz (BDSG) create one of the strictest data protection environments in the EU. German clients tend to be particularly sensitive about where their financial data is processed. An advisor who can tell a German HNW client that their consultation audio never leaves the advisor's device is providing a data protection guarantee that is both legally accurate and culturally compelling.
France: AMF requirements and client relationship culture
French independent financial advisors (Conseillers en Investissements Financiers, CIFs) operate under AMF registration and supervision. MiFID II suitability documentation requirements apply in full, with CNIL oversight of how client data is processed.
The French advisory relationship, particularly in wealth management, is built on discretion. Clients with significant assets managed through banques privées and family offices expect that the content of financial conversations remains within a defined circle of trust. A recording processed by a US cloud AI provider sits uneasily with this expectation — and with the AMF's expectation that client data is handled in accordance with GDPR.
On-device processing produces the same structured meeting notes while keeping the conversation on the advisor's device. For French wealth management practices where client discretion is a relationship differentiator, this is both a compliance position and a client communication.
The in-person client meeting in EU wealth management
EU wealth management is relationship-intensive. Quarterly reviews. Succession planning sessions with the client's notaire or Rechtsanwalt. Family governance meetings with multiple generations. Annual strategy sessions at the client's preferred location.
None of these happen on a Zoom call. Bot-based AI notetakers — the majority of cloud tools — cannot attend them. Kuulo records from the iPhone in any room, generating the structured suitability documentation regardless of whether the meeting was virtual or in-person.
For a wealth manager who conducts 6 client meetings per week — most of them in person — a tool that only works on video calls covers approximately 0% of the actual meeting load.
The five-year retention requirement
MiFID II requires that records of client communications be retained for five years. This means the meeting notes generated today must be producible in 2031. A cloud AI notetaker that operates on a subscription basis — with retention tied to the subscription — creates a data governance question: what happens to five years of meeting records if the advisor changes tools or the vendor shuts down?
On-device notes, stored on the advisor's device and exported to the firm's compliant record-keeping system, are not subject to the vendor's subscription status or data retention policies. The note exists on the advisor's infrastructure from the moment it is generated. The five-year retention obligation is met by the firm's own systems, not contingent on a vendor relationship remaining active.
Frequently asked questions
Does AI-generated suitability documentation satisfy MiFID II?
AI-generated meeting notes reviewed and confirmed by the advisor can form the basis of the suitability statement required under MiFID II Article 25(6). The advisor's review and attestation is the compliance instrument; AI is the drafting tool that reduces the time required to produce an accurate, complete record.
What GDPR obligations apply to EU financial advisors using AI notetakers?
Client meeting audio is personal data under GDPR. Any cloud AI tool processing it is a data processor under Article 28, requiring a DPA. US-hosted cloud tools additionally require an Article 46 transfer mechanism. On-device processing removes the Article 28 obligation — no DPA is required for a tool that processes data locally on the advisor's device.
How long must financial advisory meeting notes be retained under MiFID II?
MiFID II requires that records of client communications and suitability assessments be retained for five years (extended to seven years in some cases). On-device notes exported to the firm's compliant records system satisfy this without creating a vendor retention dependency.
Can EU financial advisors record in-person client meetings?
Yes, with client consent. On-device recording with Kuulo captures in-person client meetings — home visits, office meetings, family office sessions — that bot-based tools cannot attend. The structured suitability note is generated from the iPhone recording before the advisor leaves the meeting.